Forgot your password?
typodupeerror
XBox (Games) Microsoft Piracy The Almighty Buck

$1.2 Million Worth of MS Points Taken After Hackers Figure Out Code Algorithm 203

Posted by Soulskill
from the going-for-the-gusto dept.
The Save and Quit blog reports that a group of hackers figured out the algorithm behind a set of promotional codes that were each redeemable for 160 MS points, the currency used on Xbox Live. Quoting: "A person would just have to sit back and refresh over and over and rack up the 160MSP codes. Not every code would work, but a majority would. The site started to 404 due to the heavy traffic. If you have closer ties to the pirating community, you could find a program to get the codes for you. ... This method took a little more work out of the user, but it was still simple enough for a 12 year old to figure out. ... Microsoft found out about this exploit and put a stop to it immediately, but internet pirates still had enough time to steal $1.2 million worth of Microsoft Points."
This discussion has been archived. No new comments can be posted.

$1.2 Million Worth of MS Points Taken After Hackers Figure Out Code Algorithm

Comments Filter:
  • by elrous0 (869638) * on Thursday March 10, 2011 @03:12PM (#35445828)

    Wow, that's almost a full tank of gas.

  • I wonder if they're just going to ban everyone who redeemed a code worth such a small amount. Why the hell do amounts that small exist? must be for fast food promos or something.

  • by DrugCheese (266151) on Thursday March 10, 2011 @03:20PM (#35445956)

    What's the exchange rate from MS points to Schrute Bucks?

  • Just look who made more than one purchase of MS points to their account in the last week or two, that will cut down the list of possible suspects significantly. Cross-reference the transactions for which there was payment. You'll find that you have a handy list of those people who will soon find a huge "CHEATER" banner on their Xbox account.
    • by thebra (707939)

      Just look who made more than one purchase of MS points to their account in the last week or two, that will cut down the list of possible suspects significantly. Cross-reference the transactions for which there was payment. You'll find that you have a handy list of those people who will soon find a huge "CHEATER" banner on their Xbox account.

      I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

      • I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

        Read my whole post. Once you've narrowed down people who made multiple purchases in a row (a hacker who finds this trick working repeatedly is likely to do it as long as it will work) all they need to do is make sure every one of those names has PAID for his purchases. The idea here was merely to narrow it down to make the payment double-checking part go faster.

        • by thebra (707939)

          I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

          Read my whole post. Once you've narrowed down people who made multiple purchases in a row (a hacker who finds this trick working repeatedly is likely to do it as long as it will work) all they need to do is make sure every one of those names has PAID for his purchases. The idea here was merely to narrow it down to make the payment double-checking part go faster.

          I read your post in its entirety but it is still in the end a mostly education guess. I just don't see how Microsoft could punish based off a good guess. I realize they can ban whomever they want for what ever reason but it would just end up causing more headaches and added cost. I don't see the real payoff.

          • At which point does the "guessing" come in? This is how double-entry book-keeping works ... you reconcile the stock (in this case points) with the bank statements of deposits. There is no guessing. What OP said was that you could narrow it down so you don't have to reconcile for the entire population, just reconcile for a subset of them.
            • by EdZ (755139)
              Because MS point are not only sold directly: you can buy printed codes worth x points from brick&mortar stores, or online via non-MS resellers. MS have no way to tell if code XXXXXXXXX was purchased legitimately or generated algorithmically.
              • Yes they do. A reseller brick-and-mortar store would have *printed* tickets. Unless MS is deliberately neglecting to keep track of which codes have been printed, they have a record of which codes have been already printed - those codes would be exempt from the double-checking.

                It's quite possible that the set of generated codes on the website overlap with the set of codes on printed tickets, in which case I happily concede the argument to your favour, but my understanding is that the codes are different (
      • by Drantin (569921)

        I purchase MS points a few times a week, and I have a feeling I'm not alone. I don't see how that would help narrow down the evil doers.

        In 160MSP increments?

  • Hopefully they get banned from Live. This falls under the broad category of hate I have for gold farmers in MMOs.

  • by jeremymiles (725644) on Thursday March 10, 2011 @03:24PM (#35446016) Homepage Journal
    It's not like MS ran out of codes.
    • Re: (Score:3, Insightful)

      by BradleyUffner (103496)

      It's not like MS ran out of codes.

      Tell that to someone who legitimately had one of these codes that couldn't redeem it because someone else used it.

    • If I understand those point things correctly, if points are used to purchase something, say, a game, then Microsoft has to pay the developer. So, in a certain sense, it is stealing, and could be a good source of revenue for a developer.
  • by russotto (537200) on Thursday March 10, 2011 @03:29PM (#35446078) Journal
    It appears the algorithm wasn't actually determined. Rather, Microsoft essentially left a code generator which took unencrypted parameters available on a web page. Amateur mistake.
  • At first glance I thought it said "$1.2 Million worth of MS PowerPoints", which made me wonder "Who would pay $1.2 million for PowerPoints?"
  • ...to find the caps with the codes was to tilt the bottle.

    .
    • by demonbug (309515)

      ...to find the caps with the codes was to tilt the bottle. .

      Totally, completely, 100% off topic, but... this reminded me that when I looked at a map of Tripoli the other day I noticed this:

      Pepsi-Cola Road [google.com].

      I've been hoping to hear something about anti-government protesters on Pepsi-Cola Road ever since.

      Just like, you know... stolen Microsoft Points. Or something.

  • Curiously, the top executives are furious that their secret sauce algorithm to rack up USpoints has been leaked to this hacker. The CEO of Morgan Stanley was seen throwing a tantrum, curses and a few chairs, "This is our trick. This is what we have been doing to create money in the Federal Reserve accounts. And now some stupid hacker is using it to rack up real money? I wanna know who is responsible and heads are goin' to roll"
  • Boggles the mind (Score:5, Insightful)

    by TheSpoom (715771) <{ten.00mrebu} {ta} {todhsals}> on Thursday March 10, 2011 @04:49PM (#35447116) Homepage Journal

    Why weren't these codes completely random? Why don't they have a database of valid and used codes, where codes only get inserted when they're printed on cards that are then shipped to stores? Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?

    • by thebra (707939)
      Because that would cost a lot more money to operate than a piece of software.
    • by geekoid (135745)

      Cost and reuse.

    • by tlhIngan (30335)

      Why weren't these codes completely random? Why don't they have a database of valid and used codes, where codes only get inserted when they're printed on cards that are then shipped to stores? Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?

      You're confusing this article and the prepaid points cards. First, they were 160 points at a time. No prepaid card comes with such little points - I think the smallest I've every seen was 400 as part of some

      • by plover (150551) *

        What happened then was people figured out how to get 160 points without doing X, and with enough hackery, figure out the algorithm behind it.

        According to TFA it doesn't appear that they ever figured out the algorithm. They just figured out how to get 160 points by refreshing web page X, and then repeated until they had a lot of points.

        As usual the /. headline is sufficiently lacking in factual basis. The "hackers" figured out a URL, not an algorithm.

    • by yuhong (1378501)

      Perhaps most importantly, why would you EVER have a public web-accessible interface to generate codes on the fly?

      Because they sent emails with a link to it passing an ID. The problem is that the ID is easily guessable.

  • Wait! We were talking about the US Dollar right?

  • When sites are under load, they 500 or 503. I've never seen a server 404 under load. Plus, this wasn't a case of just hitting F5 to refresh and get a new code. URLs had to be uniquely tampered with. At least read the source article, editors, before posting sensationalist summaries. Sheesh. And according to other links posted in this thread, MS was able to track the "hackers" and ban them. So, it seems their system worked. If anything, perhaps it was a honey pot they put up to try to see what players

Hard work never killed anybody, but why take a chance? -- Charlie McCarthy

Working...